敢聊: chat invitations without spending gold coins (a freebie for the broke)

Vulnerability details

Disclosure status:

2014-02-12: Details reported to the vendor, awaiting vendor processing
2014-02-13: Vendor has confirmed; details disclosed to the vendor only
2014-02-23: Details disclosed to core white hats and experts in the relevant field
2014-03-05: Details disclosed to regular white hats
2014-03-15: Details disclosed to intern white hats
2014-03-29: Details disclosed to the public

Brief description:

In the 敢聊 iOS client, intercepting and forging network requests through a proxy lets a user chat with people who are online without spending gold coins, and even earn gold coins.

Detailed description:

The 敢聊 iOS client's requests are not encrypted. When gold coins are spent to chat with someone, the response returned is:

{"code":1000,"name":"/user/match","data":{"user_gold":1,"match_type":4,"myself":{"user_id":"1130411","user_name":"nova1130411","intro_text":"","avatar":"http://staticnova.ruoogle.com/nova/default/avator/m/defaultAvatar_m_8.jpg","exp":"30","gold":"1","constellation":"0","gender":"1","nick":"别跟我得瑟你不行","height":"176","birthday":"","blood_group":"0","lastlogin_at":"2014-02-07T13:25:11+0800","max_chatgroup":"1","closed_chatgroup":"0","city_name":"直辖市 上海","city_code":"310100","login_type":"0","isfake":"0","silentmode_is_on":"0","hard_help":"0.62","canGetGoldByHardHelp":"0","video":"0","created_at":"Feb 7, 2014 12:36:23 AM","longitude":"121.5779502083657","latitude":"31.20048913817307","vip":"0"},"user_exp":30,"user":{"user_id":"1053409","user_name":"nova1053409","intro_text":"","avatar":"http://staticnova.ruoogle.com/photo/1111049/201402012345052_784049_266x266.jpg","exp":"400","gold":"0","constellation":"2","gender":"2","nick":"倾尽年华终是梦。","height":"165","birthday":"1996 年5月13日","blood_group":"3","lastlogin_at":"2014-02-07T13:29:51+0800","max_chatgroup":"2","closed_chatgroup":"0","city_name":"江苏省 徐州","city_code":"320300","login_type":"0","isfake":"0","silentmode_is_on":"0","video":"0","created_at":"Feb 6, 2014 11:19:37 PM","longitude":"117.024941","latitude":"34.359381","vip":"0"},"room_count":3}}

Then, with the proxy forwarding to the local machine, modify the user_id and user_name of the person you want to chat with; tapping "invite to chat" then skips the restriction and opens a chat with that user. If the chat is ended, the system also refunds 人品 (karma points), which can be exchanged for gold coins.

Proof of vulnerability:

[Screenshot: 1.png]

Haha, got in and chatted with her.

[Screenshot: 2.png]

Also, although the client only lets you view this app's pictures within the time limit, the proxy can obtain the stored addresses, so anyone playing with it should be careful~~

Fix recommendation:

Encryption is still needed, along with somewhat more validation.
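As an added defensive example (not code from the original report or from the vendor), here is how a server could bind a chat invitation to the match it issued, so that a user_id substituted through a proxy is rejected and the gold charge is applied server-side; the HMAC key, the match TTL and the invite cost are assumed values, and transport encryption (TLS) remains a separate requirement.

```python
import hashlib
import hmac
import json

# Assumed values for the example (a real deployment would hold the key server-side).
SERVER_KEY = b"constructed-demo-key"
MATCH_TTL = 300   # seconds a server-issued match stays valid
INVITE_COST = 1   # gold coins charged per invitation


def issue_match(my_id: str, matched_id: str, now: float) -> dict:
    """Server issues a match record whose MAC covers both user ids and the expiry."""
    payload = {"user_id": my_id, "match_user_id": matched_id, "exp": int(now + MATCH_TTL)}
    msg = json.dumps(payload, sort_keys=True).encode()
    payload["mac"] = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return payload


def verify_match(match: dict) -> bool:
    """Recompute the MAC over every field except 'mac'; any edited field breaks it."""
    mac = match.get("mac")
    fields = {k: v for k, v in match.items() if k != "mac"}
    msg = json.dumps(fields, sort_keys=True).encode()
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return mac is not None and hmac.compare_digest(mac, expected)


def handle_invite(balances: dict, match: dict, target_id: str, now: float) -> str:
    """Server-side invite handler: trusts only the server-issued match, never the client."""
    if not verify_match(match):
        return "rejected: match token tampered"
    if now > match["exp"]:
        return "rejected: match expired"
    if target_id != match["match_user_id"]:
        return "rejected: target does not match server-issued match"
    me = match["user_id"]
    if balances.get(me, 0) < INVITE_COST:
        return "rejected: insufficient gold"
    balances[me] -= INVITE_COST   # charge happens here, not in the client
    return "ok"
```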

Copyright notice: when reposting, credit the source shaobojohn@乌云

Vulnerability response

Vendor response:

Severity: Low

Vulnerability Rank: 5

Confirmed at: 2014-02-13 09:55

Vendor reply:

Thanks for reporting the vulnerability; it has been fixed.

Latest status:

None yet

Vulnerability rating: